
Repository Firewall Guided Setup

Repository Firewall users are overly cautious about turning on its capabilities because of the complexity of the steps required to configure it. Users who do not fully configure Repository Firewall to quarantine components are not receiving the full value of their Repository Firewall license.

The goals of the Firewall guided setup are as follows:

  • reduce the complexity of setting up a Repository Firewall

  • reduce the time to value by enabling the Repository Firewall protections right away

Requirements

The IQ Server versions listed can be self-hosted or cloud deployments.

  • Repository Firewall in Nexus Repository Pro

    • IQ Server version 167 or greater

    • Nexus Repository Pro version 3.60 or greater

  • Firewall for Artifactory Plugin

    • IQ Server version 168 or greater

    • Firewall for Artifactory plugin version 2.4.8 or greater

Limitations

  • The guided setup is currently intended only to run once for each connected repository manager

  • Resetting the guided setup is not available at this time

Getting Started

The guided setup is kicked off automatically upon login to the IQ Server as soon as you configure a new instance of IQ Server in your repository manager.

Use the following steps for Nexus Repository 3 Pro:

  1. Log in to the Nexus Repository 3 Pro instance with administrator access

  2. Select the administration cog from the main menu

  3. Select IQ Server from the Administration section of the side menu

  4. Complete the IQ Server setup form

    1. Select the Enable the Use of IQ Server box

    2. Add your IQ Server URL

    3. Select an authentication method

      1. User Authentication: enter the IQ Server username and password

      2. PKI Authentication: delegate to the JVM for authentication

    4. Select Save

  5. Select Verify Connection to test the configuration

Note

We recommend using a service account when connecting Nexus Repository to the IQ Server in production environments. Consider generating user tokens as an added layer of security.

At a minimum, this account requires access to the Evaluate Individual Components permission at the Repository Managers level in IQ Server Org and Policies.

Leave the following configuration options blank unless directed by Sonatype support:

  • Properties, Connection Timeout

Use the following steps for Firewall for Artifactory:

  1. Add the IQ Server connection details to the "firewall.properties" file

  2. Alternatively, use the REST API to update the connection details after the plugin has been installed

Steps for the Repository Firewall Guided Setup

The Repository Firewall guided setup is launched by logging in as a user with "Edit IQ Elements" permissions for Repositories in the IQ Server. The setup will guide you through the following series of pages to configure protection:

  1. Enable Repository Firewall Rules

  2. Selecting Proxy Repositories

  3. Selecting Hosted Repositories

  4. Reviewing the Configuration

Step 1: Enable Repository Firewall Rules

This page allows you to enable the following Firewall protections on the Nexus Repository instance. Our recommendation is to enable protection from supply chain attacks and namespace confusion.

Supply Chain attack protection

  • The selection on this page allows this capability to be enabled on selected proxy repositories

  • The selection of proxy repositories where you wish to apply this capability is done in step 2

Namespace confusion protection

  • The selection on this page allows this capability to be enabled on selected proxy repositories.

  • The selection of hosted repositories to get the namespace from to enable this protection is done in step 3

Step 2: Selecting Proxy Repositories

Select the public-facing proxy repositories from which you are proxying open-source components. The selections on this page will enable supply chain attack protection and namespace confusion protection on the selected repositories.

Select ‘Continue’ when ready to move to the next step

Step 3: Selecting Hosted Repositories

Select the hosted repositories that contain internal artifacts whose namespaces you want to restrict from public-facing repositories.

Select ‘Continue’ when ready to move to the next step

Step 4: Reviewing the Configuration

Review the configuration, and select 'Launch Firewall'
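
A simplified model of how the proxy selection in step 2 and the hosted selection in step 3 combine for namespace confusion protection, added here as an illustration and not Sonatype's implementation. The repository names, package names, decision labels and the namespace-matching rule are assumptions made for the example.

```python
# Simplified model of the guided-setup selections; not Sonatype's implementation.
# All repository and package names below are constructed sample data.
HOSTED = {
    "npm-internal": ["@acme/billing", "acme-build-tools"],
    "maven-releases": ["com.acme.payments:ledger"],
}
PROXY_REQUESTS = [
    ("npm-proxy", "@acme/billing"),
    ("npm-proxy", "lodash"),
    ("npm-proxy", "acme-build-tools"),
    ("maven-proxy", "com.acme.payments:ledger"),
]

def namespace_of(coordinate):
    """npm scope or Maven groupId; an unscoped name is its own namespace."""
    if coordinate.startswith("@") and "/" in coordinate:
        return coordinate.split("/", 1)[0]
    if ":" in coordinate:
        return coordinate.split(":", 1)[0]
    return coordinate

def protected_namespaces(hosted, selected_hosted):
    """Step 3: namespaces are taken only from the hosted repositories selected."""
    return {namespace_of(c) for repo in selected_hosted for c in hosted.get(repo, [])}

def evaluate(requests, selected_proxies, namespaces):
    """Step 2: only requests through a selected proxy repository are checked."""
    decisions = []
    for repo, coordinate in requests:
        if repo not in selected_proxies:
            decisions.append((coordinate, "not-checked"))
        elif namespace_of(coordinate) in namespaces:
            decisions.append((coordinate, "quarantine"))
        else:
            decisions.append((coordinate, "allow"))
    return decisions

if __name__ == "__main__":
    # Partial selection: one hosted repository and one proxy left out.
    partial = evaluate(PROXY_REQUESTS, {"npm-proxy"},
                       protected_namespaces(HOSTED, ["npm-internal"]))
    # Full selection: every hosted and proxy repository selected.
    full = evaluate(PROXY_REQUESTS, {"npm-proxy", "maven-proxy"},
                    protected_namespaces(HOSTED, HOSTED))
    for (coordinate, before), (_, after) in zip(partial, full):
        print(f"{coordinate:28} partial={before:12} full={after}")
```

In this model, the internal Maven coordinate is only quarantined when both its proxy repository and the hosted repository that owns its namespace are selected, which is the coverage to confirm on the review page in step 4.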